Compliance with privacy and security regulations is an essential part of an organization’s operational process. In the financial industry, the decision to use encryption is often mandated by one or more of the regulations that the organization is subject to. Below, we review a number of relevant regulations and how they relate to encryption.
The Payment Card Industry Security Standards Council helps merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. Cardholder data should be unreadable anywhere it is stored, using strong cryptography (e.g. disk encryption) with associated key-management processes and procedures. Secret and private keys used to encrypt/decrypt cardholder data should be stored within a secure cryptographic device. Strong cryptography and security protocols (e.g. TLS, IPsec, and SSH) should be used to safeguard sensitive cardholder data during transmission over open, public networks.
NYDFS comprises a new set of regulations from the New York State Department of Financial Services that places new cybersecurity requirements on all financial institutions operating in NY state. This regulation requires implementing encryption to protect nonpublic information held or transmitted by the covered entity and third-party service providers, both in transit over external networks and at rest.
The General Data Protection Regulation imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents. It requires the use of data encryption, pseudonymization, and tokenization to protect the personal data (PII) of EU citizens.
The Gramm–Leach–Bliley Act is US federal law that requires financial institutions to explain how they share and protect their customers’ private information. Encryption of the account number is one of the methods to limit sharing account number information for marketing purposes.
The Securities & Exchange Commission issued guidance for publicly traded companies as to disclosure obligations with respect to matters involving cybersecurity risk and incidents, as these issues are among the most significant factors that make an investment in the company speculative or risky. It also addresses the importance of cybersecurity policies and procedures and the application of disclosure controls and procedures.
The Commodity Futures Trading Commission, an agency of the US government, regulates futures and options markets, aiming to protect market users and their funds, consumers, and the public from fraud, manipulation, and abusive practices related to derivatives and other products. It requires the use of encryption for certain data types and transfers.
The Financial Industry Regulatory Authority is a non-governmental organization that regulates member brokerage firms and exchange markets. A regulatory notice requires encryption of information provided via a portable media device.
The Investment Industry Regulatory Organization of Canada is a national self-regulatory organization overseeing all investment dealers and trading activity on debt and equity markets in Canada. Its provision requires protecting customer information, which may include encrypting such data and further protecting the encryption keys to ensure the confidentiality of client information.
The Financial Conduct Authority is a financial regulatory body that regulates financial firms providing services to consumers and maintains the integrity of the financial markets in the UK. It requires encryption of customer data in motion, at rest, and in backups.
Leveraging Encryption to Adhere to Financial Privacy Regulations
The financial industry today faces the double challenge of securing ever larger volumes of sensitive information and addressing a growing range of security and privacy regulations. With an obvious need to adhere to these regulations, to defend against data breaches and to preserve a reputation for trustworthiness, organizations face increased complexity in implementing encryption. An expert view is required for institutions to implement the optimal encryption schemes that address their particular environment and operations.